allow mixing of whitelist and private

author: netblue30 <netblue30@yahoo.com> 2015-11-17 10:41:52 -0500
committer: netblue30 <netblue30@yahoo.com> 2015-11-17 10:41:52 -0500
commit: c3bd40d2404319cca625ecc521a4514d27e8f76a (patch)
tree: e26c188478bd45e28c44f58d33e8f06243410c88
parent: handle ~/.config/user-dirs.dirs (diff)
download: firejail-c3bd40d2404319cca625ecc521a4514d27e8f76a.tar.gz
firejail-c3bd40d2404319cca625ecc521a4514d27e8f76a.tar.zst
firejail-c3bd40d2404319cca625ecc521a4514d27e8f76a.zip
4 files changed, 50 insertions, 7 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index fd2a29372..9203e3d00 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -213,6 +213,15 @@ void fs_whitelist(void) {
                // check for supported directories
                if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {
+                        // whitelisting home directory is disabled if --private or --private-home option is present
+                        if (arg_private) {
+                                if (arg_debug)
+                                        printf("Removed whitelist path %s, --private option is present\n", entry->data);
+                                *entry->data = '\0';
+                                continue;
+                        }
                        entry->home_dir = 1;
                        home_dir = 1;
                        // both path and absolute path are under /home
@@ -271,6 +280,7 @@ void fs_whitelist(void) {
                
        // create mount points
        fs_build_mnt_dir();
+        
        // /home/user
        if (home_dir) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 384688b54..c105894bb 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -354,13 +354,7 @@ int sandbox(void* sandbox_arg) {
        //****************************
        if (cfg.profile) {
                // apply all whitelist commands ... 
-                if (arg_whitelist) {
+                fs_whitelist();
-                        // whitelist commands are disabled if --private or --private-home option is present
-                        if (arg_private == 0)
-                                fs_whitelist();
-                        else
-                                fprintf(stderr, "Warning: whitelists disabled by private or private-home\n");
-                }
                
                // ... followed by blacklist commands
                fs_blacklist();
diff --git a/test/private-whitelist.exp b/test/private-whitelist.exp
new file mode 100755
index 000000000..b78eb3b61
--- /dev/null
+++ b/test/private-whitelist.exp
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --private --whitelist=/tmp/.X11-unix\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -al /tmp\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        ".X11-unix"
+}
+sleep 1
+send -- "ls -a /tmp | wc\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "3"
+}
+sleep 1
+send -- "ls -a ~ | wc\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "4"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/test.sh b/test/test.sh
index 61e5cce35..fdb1f8ed7 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -30,6 +30,9 @@ echo "TESTING: private-etc"
 echo "TESTING: private-bin"
 ./private-bin.exp
+echo "TESTING: private whitelist"
+./private-whitelist.exp
 sleep 1
 rm -fr dir\ with\ space
 mkdir dir\ with\ space
author	netblue30 <netblue30@yahoo.com>	2015-11-17 10:41:52 -0500
committer	netblue30 <netblue30@yahoo.com>	2015-11-17 10:41:52 -0500
commit	c3bd40d2404319cca625ecc521a4514d27e8f76a (patch)
tree	e26c188478bd45e28c44f58d33e8f06243410c88
parent	handle ~/.config/user-dirs.dirs (diff)
download	firejail-c3bd40d2404319cca625ecc521a4514d27e8f76a.tar.gz firejail-c3bd40d2404319cca625ecc521a4514d27e8f76a.tar.zst firejail-c3bd40d2404319cca625ecc521a4514d27e8f76a.zip

diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index fd2a29372..9203e3d00 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -213,6 +213,15 @@ void fs_whitelist(void) {
213		213
214	// check for supported directories	214	// check for supported directories
215	if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {	215	if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {
		216	// whitelisting home directory is disabled if --private or --private-home option is present
		217	if (arg_private) {
		218	if (arg_debug)
		219	printf("Removed whitelist path %s, --private option is present\n", entry->data);
		220
		221	*entry->data = '\0';
		222	continue;
		223	}
		224
216	entry->home_dir = 1;	225	entry->home_dir = 1;
217	home_dir = 1;	226	home_dir = 1;
218	// both path and absolute path are under /home	227	// both path and absolute path are under /home
@@ -271,6 +280,7 @@ void fs_whitelist(void) {
271		280
272	// create mount points	281	// create mount points
273	fs_build_mnt_dir();	282	fs_build_mnt_dir();
		283
274		284
275	// /home/user	285	// /home/user
276	if (home_dir) {	286	if (home_dir) {


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 384688b54..c105894bb 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -354,13 +354,7 @@ int sandbox(void* sandbox_arg) {
354	//****************************	354	//****************************
355	if (cfg.profile) {	355	if (cfg.profile) {
356	// apply all whitelist commands ...	356	// apply all whitelist commands ...
357	if (arg_whitelist) {	357	fs_whitelist();
358	// whitelist commands are disabled if --private or --private-home option is present
359	if (arg_private == 0)
360	fs_whitelist();
361	else
362	fprintf(stderr, "Warning: whitelists disabled by private or private-home\n");
363	}
364		358
365	// ... followed by blacklist commands	359	// ... followed by blacklist commands
366	fs_blacklist();	360	fs_blacklist();


diff --git a/test/private-whitelist.exp b/test/private-whitelist.exp new file mode 100755 index 000000000..b78eb3b61 --- /dev/null +++ b/test/private-whitelist.exp
@@ -0,0 +1,36 @@
		1	#!/usr/bin/expect -f
		2
		3	set timeout 10
		4	spawn $env(SHELL)
		5	match_max 100000
		6
		7	send -- "firejail --private --whitelist=/tmp/.X11-unix\r"
		8	expect {
		9	timeout {puts "TESTING ERROR 1\n";exit}
		10	"Child process initialized"
		11	}
		12	sleep 1
		13
		14	send -- "ls -al /tmp\r"
		15	expect {
		16	timeout {puts "TESTING ERROR 2\n";exit}
		17	".X11-unix"
		18	}
		19	sleep 1
		20
		21	send -- "ls -a /tmp \| wc\r"
		22	expect {
		23	timeout {puts "TESTING ERROR 3\n";exit}
		24	"3"
		25	}
		26	sleep 1
		27
		28	send -- "ls -a ~ \| wc\r"
		29	expect {
		30	timeout {puts "TESTING ERROR 4\n";exit}
		31	"4"
		32	}
		33
		34	sleep 1
		35	puts "\nall done\n"
		36


diff --git a/test/test.sh b/test/test.sh index 61e5cce35..fdb1f8ed7 100755 --- a/test/test.sh +++ b/test/test.sh
@@ -30,6 +30,9 @@ echo "TESTING: private-etc"
30	echo "TESTING: private-bin"	30	echo "TESTING: private-bin"
31	./private-bin.exp	31	./private-bin.exp
32		32
		33	echo "TESTING: private whitelist"
		34	./private-whitelist.exp
		35
33	sleep 1	36	sleep 1
34	rm -fr dir\ with\ space	37	rm -fr dir\ with\ space
35	mkdir dir\ with\ space	38	mkdir dir\ with\ space